According to a joint report by the FBI and the Department of Homeland Security, from early 2016 until late 2017 cyber attackers, most likely operating out of Russia, gained access to the control systems of power plants and other critical infrastructure in the United States. A recent article in the Wall Street Journal takes an in-depth look at how the intrusion worked at the ground level.
Networking
If you’re a hacker, your goal is access to a certain system or database. Since you can’t get that right away, you want the credentials of someone who does have access to it. If they’re too well protected, you find someone they trust and work with, but who is less protected, and target them (aka a Third-Party vendor).
Basically, starting from the primary target, you move outward, one professional connection at a time, until you find someone who isn’t as protected or vigilant. Then you target them, get their account, and work back inwards. In the Russian power grid attack, these were often contractors who drove trucks and provided services incidental to power generation.
Spearphishing
After compromising the accounts of low-security contractors, the next step was to leverage their connections to higher-security personnel. Attackers used hijacked accounts to send emails with malware attachments, which would then steal even more credentials. Because they had full control of the stolen email accounts, they could make the attachments seem very legitimate, verify them with follow-up emails, and shut down attempts to screen them. In one case, in the Journal article, a woman had to call the alleged sender by phone to find out the attachment was fraudulent.
Waterholing
As hackers used their first victims to attack higher-security victims, they also gained access to websites they knew other contractors and technicians were sure to visit as part of their jobs. This tactic is called “waterholing” because it mimics the way African predators wait near a water hole for prey – eventually, the prey will come.
Contractors frequent these sites for manuals, rulebooks, and other things connected to their jobs. Intruders altered some of the links so that instead of just industry-relevant publications, contractors downloaded more malware. Some were even tricked into running programs that gave the attackers remote desktop access.
Local admin accounts
With all the breaches they had made, the attackers were eventually able to create local administrator accounts for themselves and used them to place malware within the systems of primary targets like power plants. So far, we only know about them gathering information on how the power grid systems work and monitor themselves. The report does not say if they had the ability to tamper with the power supply itself or not, but the implications are serious. A foreign country with control of American power grids could cripple US military readiness in a war.
What next?
The FBI-DHS report suggests remedial measures going forward, including:
- Setting clear limits to the permissions regular users in certain systems have,
- Reserving some permissions only for administrators,
- Beefing up password security (letters, numbers, symbols, case sensitivity, frequent changes).
These measures will always be inconvenient for users and administrators alike. Some will almost inevitably get complacent, and if anything is certain, it is that human error and complacency are still the cyber attackers’ most effective weapons.
Multifactor authentication (MFA) – a combination of passwords, readable key cards, temporary codes sent by text message, etc. – may be a promising defense, as they significantly increase security while potentially feeling less onerous to users and local admins.
One of the more important measures employers should take for employees other than MFA is Security Awareness Training (SAT). SAT should be consistent, ongoing, interactive, and challenging training that offers penetration testing. There should also be real consequences for not keeping up on training. This will keep employees aware and vigilant. You can request more info for SAT here.
There are no unbreakable barriers, but each added layer is another obstacle for attackers. Cyber warfare is the future, and countries have to get good at it. Unfortunately, in this war, we are all potentially on the front lines.